Cryptanalysis of FRS obfuscation based on the CLT13 multilinear map


Abstract

The authors present a classical polynomial-time attack against the branching program obfuscator of Fernando–Rasmussen–Sahai (FRS for short, Asiacrypt’17) with one zerotest parameter, an obfuscator that is robust against all known classical cryptanalyses on obfuscators when instantiated with the CLT13 multilinear map. The first step is to recover a plaintext modulus of the CLT13 multilinear map. To this end, the algorithm of Coron and Notarnicola (Asiacrypt’19) is applied. However, because of parameter issues, the algorithm cannot be used directly. To circumvent the issue, the authors convert an FRS obfuscator into a new program with a small message space. Through the conversion, the authors obtain two zerotest parameters and encodings of zero except for two non-zero slots. These are then used to relax the parameter constraints of the message space recovery algorithm. A cryptanalysis of the FRS obfuscation based on the recovered message space is then proposed. The authors show that there exist two functionally equivalent programs such that their obfuscated programs are computationally distinguishable. Thus, the FRS scheme does not satisfy the desired security without any additional constraints.

Cite

Kim, J., & Lee, C. (2022). Cryptanalysis of FRS obfuscation based on the CLT13 multilinear map. IET Information Security, 16(3), 208–219. https://doi.org/10.1049/ise2.12055
